JP6731687B2 - Automatic mitigation of electronic message-based security threats - Google Patents

Description

The present invention relates to systems, methods, and computer-readable media for electronic message-based automatic threat mitigation.

Email phishing attacks, like the introduction of malware into computer devices, have become one of the most common directions for unauthorized acquisition of sensitive personal information. Successful detection of phishing attacks can be difficult. Especially because the boundary between email spam and phishing can be very small. Because new phishing threats are emerging and evolving on a regular basis, we take appropriate action on our email service users when we determine they may have received emails containing phishing attacks. Education is difficult. Therefore, it is beneficial to take steps to automate the detection and containment of these threats.

Phishing attacks usually take the form of email messages sent to a large number of users. Such email messages may include text or images that the user asks to perform a particular action. This action may refer to a hyperlink such as a uniform resource locator (URL). The hyperlink may lead to a forged website that mimics the look of an actual website and encourages users to enter sensitive personal information (eg, user IDs and passwords). .. Alternatively or additionally, the act may be that the user downloads an attachment included in the email message. The attachment may include an executable that, when activated, installs malware on the user's computing device.

The impact of phishing attacks can be catastrophic to individuals and businesses, whether or not precise techniques are used. In addition to potential financial losses, hundreds or even thousands of people may spend hours determining the scope of phishing attacks, identifying infected devices, and containing and eradicating threats. .. Therefore, techniques that can be used to improve detection and response of phishing attacks would be beneficial.

In particular, companies and other organizations are encouraged to encourage users to report suspected phishing attacks to security experts. For example, a user may suspect that a received email message is a phishing attack. Users can forward email messages to pre-established mailboxes. Security professionals can look at email messages in this mailbox to determine if a suspected phishing attack is a real threat. In this case, the security expert can assess the extent of the attack. This is to establish how many other users have had the same or similar phishing attacks, and whether any of these users have taken any of the actions associated with the phishing attacks, and Assessing the impact and updating and phishing security policies at security enforcement points (eg firewalls, email servers, intrusion detection systems, intrusion prevention systems, anti-malware applications running on endpoint devices). It can include mitigating or eradicating the effects of an attack.

This process can take hours or even days, even for experienced security professionals. During such periods, the attack can spread unchecked and interfere with the proper functioning of tens, hundreds, or thousands of devices. Undoubtedly, technical solutions that reduce the period of detection, containment, and eradication of these threats are needed to welcome and perhaps proactively protect against invisible attacks.

This embodiment provides a technical improvement in how phishing attacks are detected, evaluated and mitigated in managed networks. When a possible phishing attack is detected (eg, reported by a user or automatically detected), a copy of the suspicious email message is sent to an email account or another destination. Once received, the suspicious email message is scanned for observable indicators of phishing. These may include certain patterns or inconsistencies in the header of the suspicious email, links to specific URLs in the body of the suspicious email message, certain attachments included in the suspicious email, etc. is there. Updated to prevent subsequent email messages with the same or similar observable indicators from reaching the user's email inbox if it was determined that the observable indicators were associated with a phishing attack Security policies may be provided to one or more security enforcement points within the managed network. If it is determined that the observable indicator is not associated with a phishing attack, the email spam filter on the managed network can be provided with the updated policy. In this way, subsequent spam emails are less likely to be delivered to the user's email inbox. Thus, these embodiments also reduce the "noise" for security personnel and help focus their resources on actual and imminent threats.

Accordingly, the first exemplary embodiment may include a security enforcement point device located within the managed network. The security enforcement point device applies a security policy to protect the computing device on the managed network from security threats. The first exemplary embodiment may also include a security decision point device located within an instance of the remote network management platform computer. Here, the instance of the computer is in charge of the managed network. The security decision point device can also be configured as follows. The device can be configured to receive messages via the managed network. The message was obtained by a particular computing device in the computing devices. The device may be configured to parse the message to identify observable indicators of one or more security threats. The observable indicator includes at least one of a network address, a hyperlink, or an indication of an attachment. The device can be configured to remotely query the security threat database for observable indicators. The device can be configured to receive from the security threat database an indication that the observable indicator is associated with a particular security threat. The device can then be configured to send a command to the security enforcement point device to update its associated security policy such that the particular security threat is mitigated. Reception of the command causes the security enforcement point device to change its operation according to the updated security policy.

The second exemplary embodiment may include receiving a message via a managed network at a security decision point device located within an instance of a computer of a remote network management platform. The message is obtained by a particular computing device located within the managed network. Then, the instance of the computer is in charge of the managed network. The second exemplary embodiment may also include parsing the message by the security decision point device to identify one or more observable indicators of the security threat. The observable index includes at least one of a network address, a hyperlink, and a display of an attached file. The second exemplary embodiment may also include remotely querying a security threat database for the observable indicator by the security decision point device. The second exemplary embodiment may also include receiving, by the security decision point device, an indication from the security threat database that the observable indicator is associated with a particular security threat. The second exemplary embodiment also provides the security enforcement point device such that the security enforcement point device mitigates the particular security threat to the security enforcement point device located in the managed network. Sending a command to update the security policy of the. Reception of the command causes the security enforcement point device to change its operation according to the updated security policy.

In a third exemplary embodiment, an article of manufacture can include a non-transitory computer readable medium having program instructions stored thereon, the program instructions stored on the medium being executed by a computing system. The computing system can then be caused to perform the operations in accordance with the first and/or second exemplary embodiments described above.

In a fourth exemplary embodiment, a computing system can include at least one processor, memory and program instructions. Program instructions may be stored in said memory, and, when executed by at least said one processor, to said computing system said first and/or second exemplary Operations according to the embodiments may be performed.

In the fifth exemplary embodiment, the system can include various means for performing each of the operations of the first and/or second exemplary embodiments described above.

These as well as other embodiments, aspects, advantages, and alternatives will become apparent to those of ordinary skill in the art by reading the following detailed description, with reference where appropriate to the accompanying drawings. Also, this summary and other descriptions and figures provided herein are merely illustrative of embodiments and, as such, many variations are possible. For example, structural elements and processing steps may be rearranged, combined, distributed, removed, or otherwise modified and remain within the scope of the claimed embodiments.

3 illustrates a schematic diagram of a computing device, according to an example embodiment. 3 illustrates a schematic drawing of a server device cluster according to an exemplary embodiment. 2 illustrates a remote network management architecture according to an exemplary embodiment. 1 depicts a communication environment including a remote network management architecture, according to an example embodiment. 6 illustrates another communication environment including a remote network management architecture, according to an example embodiment. 6 is a flow chart according to an exemplary embodiment. 3 is an example of an electronic message and header according to an exemplary embodiment. 7 is another example of an electronic message and header according to an exemplary embodiment. 3 is a network architecture for security threat detection and mitigation according to an exemplary embodiment. FIG. 6 is a message flow diagram according to an example embodiment. 6 is a flow chart according to an exemplary embodiment.

Examples of methods, apparatus, and systems are described herein. The words "example" and "exemplary" are used herein to mean "serving as an example, instance, or illustration." Any embodiment or feature described herein as "exemplary" or "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or features, even if not so described. Absent. Thus, other embodiments may be utilized and other changes may be made without departing from the scope of the means provided herein.

Therefore, the exemplary embodiments described herein are not limiting. It is readily apparent that aspects of the disclosure may be arranged, replaced, combined, separated, and designed in a wide variety of different configurations, as generally described herein and illustrated in the figures. To be understood. For example, the separation of functionality into "client" and "server" elements can occur in many ways.

Furthermore, the features illustrated in the figures may be used in combination with each other, unless the context indicates otherwise. Thus, the figures should generally be viewed as components of one or more overall embodiments, with the understanding that not all features are required for each embodiment.

Further, the recitation of elements, blocks or steps in the specification or claims is for the sake of clarity. Therefore, such an enumeration should not be construed to require or imply that these elements, blocks, or steps are performed according to a particular arrangement or in a particular order.

<I. Introduction>
Large enterprises are complex entities with many interoperations. Some of these can be found throughout the enterprise, including human resources (HR), supply chain, information technology (IT), and finance. However, each company also has its own management that provides essential functionality and/or creates a competitive advantage.

To support widely practiced operations, companies typically use off-the-shelf software applications such as Customer Relationship Management (CRM) and Human Capital Management (HCM) packages. However, custom software applications may be required to meet unique requirements. Large companies often have dozens or hundreds of these custom software applications. Nevertheless, the benefits provided by the embodiments herein are not limited to large enterprises, but may be adapted to enterprises or any other type of organization of any size.

Many such software applications are developed by individual departments within the enterprise. These range from simple spreadsheets to custom-built software tools and databases. However, the proliferation of isolated custom software applications has many drawbacks. It adversely affects a company's ability to operate and grow its business, innovate and meet regulatory requirements. Enterprises may find it difficult to integrate, streamline, and enhance operations because there is no single system to unify subsystems and data.

To efficiently generate custom applications, companies can benefit from a remote host application platform that eliminates unnecessary development complexity. The goal of such a platform would be to reduce time-consuming and repetitive application development tasks so that software engineers and other personal individuals can focus on developing unique and valuable features.

To achieve this goal, the concept of application platform as a service (aPaaS) was introduced to intelligently automate workflows across the enterprise. Although the aPaas system is hosted remotely from the enterprise, a secure connection allows access to data, applications and services within the enterprise. Such an aPaaS system can have many advantageous features and characteristics. These benefits and features could potentially improve enterprise operations and workflows for IT, HR, CRM, customer service, application development, and security.

The aPaaS system can support the development and execution of model view controller (MVC) applications. MVC applications divide the functionality into three interconnected parts (model, view, and controller) to separate the representation of the information from the way the information is presented to the user, thus providing an efficient code replay. Enables usage and parallel development. These applications can be web-based and can provide create, read, update, delete (CRUD) functionality. This allows new applications to be built on top of a common application infrastructure.

The aPaaS system can support standardized application components, such as standardized widget sets for graphical user interface (GUI) development. Thus, the application built using the aPaas system has a general look and feel. Other software components and modules may be standardized as well. In some cases, this look and feel may be branded or skinned with a company's custom logo and/or color scheme.

The aPaaS system can support the ability to set application behavior using metadata. This allows the application to be rapidly adapted to meet specific needs. Such an approach reduces development time and increases flexibility. In addition, the aPaas system can support GUI tools that facilitate metadata generation and management, thus reducing errors in metadata.

The aPaaS system can support well-defined interfaces between applications, thus allowing software developers to avoid unnecessary application dependencies. Therefore, the aPaas system can implement a service layer in which persistent state information and other data are stored.

The aPaaS system can support a rich set of integrated features so that the applications above it can interact with legacy and third party applications. For example, the aPaas system can support a custom employee onboard system that integrates with legacy HR, IT, and accounting systems.

The aPaaS system can support enterprise level security. Furthermore, since the aPaas system can be hosted remotely, security procedures can also be used when interacting with systems provided within the company or in third party networks or services provided outside the company. is necessary. For example, the aPaaS system can be configured to share data between businesses and other parties to detect and identify common security threats.

There may be other features, functions, and advantages of the aPaaS system. This description is for purposes of example only, and is not intended to be limiting.

As an example of the aPaaS development process, a software developer may be assigned to create a new application using the aPaaS system. First, the developer can define a data model that defines the types of data used by the application and the relationship between them. Then, the developer inputs (for example, uploads) the data model via the GUI of the aPaaS system. The aPaaS system can automatically generate all corresponding database tables, fields and relationships so that they can be accessed via the object oriented service layer.

In addition, the aPaas system can also build fully functional MVC applications with client-side interfaces and server-side CRUD logic. This generated application can serve as a basis for further development of the user. Advantageously, the developer does not have to spend a great deal of time on basic application functionality. Further, the application can be web-based so that it can be accessed from any internet-enabled client device. Alternatively or additionally, a local copy of the application may be accessed, for example when internet services are unavailable.

The aPaaS system can support a rich set of predefined features that can be added to applications. These features include support for search, email, templates, workflow design, report generation, analytics, social media, scripting, mobile friendly output, customized GUI and more.

The following embodiments describe the architectural and functional aspects of the aPaas system implementation, as well as its features and advantages.

<II. Examples of computing devices and cloud-based computing environments>
FIG. 1 is a simplified block diagram illustrating a computing device 100, illustrating some of the components that may be included in a computing device arranged to operate in accordance with embodiments herein. There is. The computing device 100 may be a client device (such as a device on which a user is actively operating), a server device (such as a device that provides computing services to the client device), or any other type of computing platform. Some server devices may act as client devices at any time to perform certain operations, and some client devices may incorporate server functionality.

In this example, computing device 100 includes processor 102, memory 104, network interface 106, and input/output unit 108, all of which may be coupled by system bus 110 or similar mechanism. In some embodiments, computing device 100 may include other components and/or peripherals (eg, removable storage, printers, etc.).

Processor 102 is a central processing unit (CPU), coprocessor (eg, mathematical, graphic, or cryptographic coprocessor), digital signal processor (DSP), network processor, and/or integrated circuitry for performing processor operations. Or it may be one or more of any type of computer processing element, such as in the form of a controller. In some cases, processor 102 may be one or more single core processors. In other cases, the processor 102 may be one or more multi-core processors with multiple independent processing units. Processor 102 may also include register memory for temporarily storing instructions being executed and associated data, and cache memory for temporarily storing recently used instructions and data.

The memory 104 may be any type of computer usable memory, including random access memory (RAM), read only memory (ROM), non-volatile memory (eg, flash memory, hard disk drive, solid state drive, compact). Discs (CDs), digital video discs (DVDs, and/or tape storage) are included, but are not limited to. Thus, memory 104 represents both a main memory unit as well as long term storage. Other types of memory can include biological memory.

The memory 104 may store program instructions and/or data on which the program instructions operate. For example, the memory 104 can store these program instructions on a non-transitory computer readable medium, thereby performing any method, process, or operation disclosed herein or in the accompanying drawings. The processor 102 thus enables the instructions to be executed.

As shown in FIG. 1, memory 104 may include firmware 104A, kernel 104B, and/or application 104C. Firmware 104A may be program code used to boot or otherwise start some or all computing devices 100. Kernel 104B may be an operating system that includes modules for memory management, process scheduling and management, input/output, and communication. Kernel 104B may also include device drivers that allow the operating system to communicate with the hardware modules (eg, memory units, networking interfaces, ports, and buses) of computing device 100. The application 104C may be one or more user space software programs, such as web browsers or email clients, as well as software libraries used by these programs. The memory 104 may also store data used by these and other programs and applications.

The network interface 106 can take the form of one or more wired interfaces, such as Ethernet (eg, high speed Ethernet, Gigabit Ethernet, etc.). The network interface 106 also supports communication across one or more non-Ethernet media such as coaxial cable or power lines, or wide area media such as Synchronous Optical Networking (SONET) or Digital Subscriber Line (DSL) technology. Can also Network interface 106 may additionally take the form of one or more wireless interfaces, such as IEEE 802.11 (Wifi), BLUETOOTH®, Global Positioning System (GPS), or wide area wireless interfaces. it can. However, other types of physical layer interfaces and other types of standard or proprietary communication protocols can be used via the network interface 106. Further, the network interface 106 may include a plurality of physical interfaces. For example, some embodiments of computing device 100 may include Ethernet, BLUETOOTH®, and WiFi interfaces.

The input/output unit 108 may facilitate interaction of users and peripherals with, for example, the computing device 100. The input/output unit 108 may include one or more types of input devices such as a keyboard, a mouse, a touch screen and the like. Similarly, the input/output unit 108 may include one or more output devices such as screens, monitors, printers, and/or one or more light emitting diodes (LEDs). Additionally or alternatively, computing device 100 may communicate with other devices using, for example, a Universal Serial Bus (USB) or High Definition Multimedia Interface (HDMI) port interface.

In some embodiments, one or more instances of computing device 100 may be deployed to support aPaas architecture. The exact physical location, connectivity, and configuration of these computing devices may be unknown and/or unimportant to the client device. As such, the computing devices may be referred to as "cloud-based" devices, which may be housed at various remote data center locations.

FIG. 2 illustrates a cloud-based server cluster 200 according to an exemplary embodiment. In FIG. 2, the operations of a computing device (eg, computing device 100) are distributed among server device 202, data storage 204, and router 206, which may all be connected by local cluster network 208. May be. The number of server devices 202, data storages 204, and routers 206 in the server cluster 200 may depend on the computing tasks and/or applications assigned to the server cluster 200.

For example, server device 202 may be configured to perform various computing tasks for computing device 100. Accordingly, computing tasks may be distributed among one or more server devices 202. To the extent that these computing tasks can be performed in parallel, the distribution of such tasks can reduce the total time to complete these tasks and return the results. For simplicity, both server cluster 200 and individual server devices 202 may be referred to as "server devices." It should be understood that this nomenclature means that in the operation of a server device, one or more separate server devices, data storage devices, and cluster routers may be involved.

Data storage 204 may be a data storage array that includes a drive array controller configured to manage read and write access to groups of hard disk drives and/or solid state drives. The drive array controller also manages a backup or redundant copy of the data stored in the data storage 204, either alone or in cooperation with the server device 202, such that one or more server devices 202 become a unit of the cluster data storage 204. It can also be configured to protect against inaccessible drive failures and other types of failures. Other types of memory may be used apart from the drive.

Router 206 can include network equipment configured to provide internal and external communications for server cluster 200. For example, router 206 may include (i) network communication between server device 202 and data storage 204 via cluster network 208, and/or (ii) server cluster 200 and other devices via communication link 210 to network 212. It may include one or more packet switching and/or routing devices (including switches and/or gateways) configured to provide network communication between.

Further, the configuration of the cluster router 206 is such that the data communication requirements of the server device 202 and the data storage 204, the latency and throughput of the local cluster network 208, the latency and throughput and cost of the communication link 210, and/or the cost and speed of the system architecture. And fault tolerance, resilience, efficiency, and/or other factors that may contribute to other design goals.

As a possible example, data storage 204 can include any type of database, such as a Structured Query Language (SQL) database. Various types of data structures can store information in such databases, including but not limited to tables, arrays, lists, trees, tuples. Further, any databases in data storage 204 can be integrated or distributed across multiple physical devices.

The server device 202 may be configured to send data to and receive data from the cluster data storage 204. The sending and retrieving may take the form of SQL queries or other types of database queries, and the output of such queries, respectively. Moreover, additional text, images, video, and/or audio may be included. Further, the server device 202 can assemble the received data into a web page representation. Such representations can take the form of hypertext markup language (HTML), extensible markup language (XML), or some other standardized or proprietary format markup language. In addition, the server device 202 may have the capability to execute various types of computerized scripting languages such as Perl, Python, PHP Hypertext Preprocessor (PHP), Active Server Pages (ASP), Javascript, and so on. Computer program code written in these languages can facilitate serving web pages to, and interacting with, client devices.

<III. Example of Remote Network Management Architecture>
FIG. 3 illustrates a remote network management architecture according to an exemplary embodiment. The architecture includes a managed network 300, a remote network management platform 320, and a third party network 340 as three main components all connected via the Internet 350.

Managed network 300 may be, for example, an enterprise network used by a business for computing and communication tasks, and storage of data. Thus, the managed network 300 may include various client devices 302, server devices 304, routers 306, virtual machines 308, firewalls 310, and/or proxy servers 312. Client device 302 may be embodied by computing device 100, server device 304 may be embodied by computing device 100 or server cluster 200, and router 306 is any type of router, switch, Alternatively, it may be a gateway.

Virtual machine 308 may be embodied by one or more computing devices 100 or server clusters 200. Generally, a virtual machine is an emulation of a computing system that mimics the functionality of a physical computer (eg, processor, memory, communication resources). A single physical computing system, such as server cluster 200, can support up to thousands of individual virtual machines. In some embodiments, virtual machines 308 are managed by a centralized server device or application that facilitates allocation of physical computing resources to individual virtual machines as well as performance and error reporting. You can Enterprises often employ virtual machines to efficiently allocate computing resources in the required way. Providers of virtualized computing systems include VMWARE(R) and MICROSOFT(R).

The firewall 310 allows one or more dedicated networks to protect the managed network 300 from unauthorized access to devices, applications, and services therein while allowing authorized communications originating from the managed network 300. It can be a router or a server device. Firewall 310 may also provide intrusion detection, web filtering, virus scanning, application layer gateways, and other applications or services. In some embodiments not shown in FIG. 3, managed network 300 may include one or more virtual private network (VPN) gateways that communicate with remote network management platform 320 (see below).

Managed network 300 may also include one or more proxy servers 312. One embodiment of the proxy server 312 may be a server device that facilitates data communication and movement between the managed network 300, the remote network management platform 320, and the third party network 340. In particular, proxy server 312 can establish and maintain secure communication sessions with one or more computer instances on remote network management platform 320. Through such a session, the remote network management platform 320 can discover and manage the architecture and configuration of the managed network 300 and its components. With the assistance of the proxy server 312 as much as possible, the remote network management platform 320 can discover and manage the appearance of the third-party network 340 used by the managed network 300.

Firewalls, such as firewall 310, are typically configured such that the session eventually originates from behind the firewall (ie, from a device on managed network 300) or the firewall explicitly supports the session. Reject all incoming communication sessions via the Internet 350, except where Placing proxy server 312 behind firewall 310 (eg, within managed network 300 and as protected by firewall 310) allows proxy server 312 to initiate these communication sessions through firewall 310. it can. Thus, the firewall 310 does not need to be specially configured to support incoming sessions from the remote network management platform 320, avoiding potential security risks to the managed network 300.

In some cases, managed network 300 may consist of a small number of devices and a small number of networks. In other deployments, the managed network 300 can span multiple physical locations and can include hundreds of networks and hundreds of thousands of devices. Thus, the architecture illustrated in Figure 3 can scale up or down by orders of magnitude.

Further, depending on the size, architecture, and connectivity of managed network 300, various numbers of proxy servers 312 may be deployed therein. For example, each one of the proxy servers 312 may be responsible for communicating with the remote network management platform 320 for a portion of the managed network 300. Alternatively or additionally, a set of two or more proxy servers may be assigned to such a portion of managed network 300 for purposes of load balancing, redundancy, high availability, etc.

The remote network management platform 320 is a hosted environment that provides aPaas services to users, especially to administrators of the managed network 300. These services can take the form of web-based portals, for example. Thus, a user can securely access the remote network management platform 320, for example, from the client device 302 or possibly from a client device external to the managed network 300. A web-based portal allows users to design, test, and deploy applications, generate reports, view analytics, and perform other tasks.

As shown in FIG. 3, remote network management platform 320 includes four computer instances 322, 324, 326, and 328. Each of these instances can represent a set of web portals, services, and applications (eg, a fully functional aPaaS system) available to a particular customer. In some cases, a single customer may use multiple instances of a computer. For example, managed network 300 may be a customer of an enterprise of remote network management platform 320 and may use computer instances 322, 324, and 326. The reason for providing multiple instances to a customer is that the customer may want to develop, test, and deploy their applications and services independently. Thus, computer instance 322 may be responsible for application development associated with managed network 300, computer instance 324 may be responsible for testing these applications, and computer instance 326 may be the tested application. And can be responsible for live operation of the service. Computer instances may also be referred to as hosted instances, remote instances, customer instances, or other designations.

The multi-instance architecture of remote network management platform 320 contrasts with conventional multi-tenant architectures, which have several advantages. In a multi-tenant architecture, data from different customers (eg, companies) are put together in one database. The data for these customers is separated from each other, but the separation is performed by software operating on a single database. As a result, a security breach in this system can affect the data of all customers, creating additional risk, especially for entities belonging to government, health care, and/or financial regulation. Furthermore, database operations that affect one customer can affect all customers who share that database. Thus, if an outage occurs due to a hardware or software error, the outage will affect all such customers. Similarly, if you upgrade a database to meet the needs of one customer, it will be unavailable to all customers during the upgrade process. Often, such maintenance windows are long due to the size of the shared database.

In contrast, the multi-instance architecture provides each customer with a dedicated database within a dedicated computing instance. This prevents customer data from getting together and allows each instance to be managed individually. For example, if one customer instance experiences an outage due to an error or upgrade, the other computer instance is not affected. Maintenance downtime is limited because the database contains data for only one customer. In addition, the simple design of the multi-instance architecture allows geographically diverse placement of redundant copies of each customer database and instance. This facilitates high availability, where live versions of customer instances can be moved when failures are detected or maintenance is being performed.

To support multiple computer instances in an efficient manner, remote network management platform 320 can implement multiple of these instances on a single hardware platform. For example, if the aPaaS system is implemented in a server cluster, such as server cluster 200, it may run a virtual machine that reserves a variable amount of computing, storage, and communication resources for an instance. However, full virtualization of server cluster 200 is not required and other mechanisms may be used to separate the instances. In some embodiments, each instance has its own account and may have one or more dedicated databases on server cluster 200. Alternatively, the computer instance 322 can span multiple physical devices.

In some cases, a single server cluster of remote network management platform 320 can support multiple independent enterprises. Further, as described below, the remote network management platform 320 may include multiple server clusters located in geographically diverse data centers to facilitate load balancing, redundancy, and/or high availability. it can.

The third party network 340 may be a remote server device (eg, a plurality of server clusters such as server cluster 200) that may be used for outsourced computing, data storage, communication, and hosting operations for services. These servers can be virtualized (ie, the servers can be virtual machines). Examples of third party networks 340 may include AMAZONWEB Services® and MICROSOFT® Asure. Similar to the remote network management platform 320, multiple server clusters supporting a third party network 340 may be located at geographically diverse locations for load balancing, redundancy, and/or high availability purposes. ..

Managed network 300 may use one or more third party networks 340 to deploy applications and services to its clients and customers. For example, if managed network 300 provides an online music streaming service, third party network 340 may store music files and provide a web interface and streaming capabilities. As such, the enterprise of managed network 300 does not need to build and maintain its own server for these operations.

The remote network management platform 320 may include a module integrated with a third-party network 340 to expose virtual machines and managed services therein to the managed network 300. The module allows users to request virtual resources and can provide flexible reporting for third party networks 340. To establish this functionality, a user of managed network 300 may first establish an account with a third party network 340 and request a set of related resources. The user can then enter account information into the appropriate modules of remote network management platform 320. These modules can automatically discover manageable resources within an account and also provide usage, performance, and billing reports.

The internet 350 may represent part of the global internet. However, the Internet 350 may alternatively represent a different type of network, such as a private wide area or local area packet switched network.

FIG. 4 further illustrates a communication environment between the managed network 300 and a computer instance 322, introducing additional functionality and alternative embodiments. In FIG. 4, a computer instance 322 is replicated between the data centers 400A and 400B. These data centers are geographically separated from each other, perhaps in different cities or different countries. Each data center includes a managed network 300 and supporting devices that facilitate communication with remote users.

At data center 400A, network traffic to and from external devices flows through VPN gateway 402A or firewall 404A. The VPN gateway 402A may be peered with the VPN gateway 412 of the managed network 300 via a security protocol such as Internet Protocol Security (IPSEC) or Transport Layer Security (TLS). Firewall 404A may be configured to allow access from authorized users, such as user 414 and remote user 416, and deny access to unauthorized users. Firewall 404A allows these users to access computer instance 322, and possibly other computer instances. The load balancer 406A may be used to distribute traffic among one or more physical or virtual server devices hosting an instance 322 of a computer. The load balancer 406A can simplify user access by making the internal configuration of the data center 400A (eg, computer instance 322) invisible to client devices. For example, if the instance of computer 322 includes multiple physical or virtual computing devices that share access to multiple databases, the load balancer 406A may determine that any computing device or database is more than that of another person. Network traffic and processing tasks can be distributed between these computing devices and databases so that they are not significantly busy. In some embodiments, the instance of computer 322 may include a VPN gateway 402A, a firewall 404A, and a load balancer 406A.

Data center 400B may include its own version of the components in data center 400A. Thus, VPN gateway 402B, firewall 404B, and load balancer 406B can perform the same or similar operations as VPN gateway 402A, firewall 404A, and load balancer 406A, respectively. In addition, real-time or near real-time database replication and other operations allow computer instances 322 to reside concurrently in data centers 400A and 400B.

As shown in FIG. 4, the data centers 400A and 400B facilitate redundancy and high availability. In the configuration of FIG. 4, the data center 400A is active and the data center 400B is passive. Thus, the data center 400A handles all traffic to and from the managed network 300, while at the same time the version of the computer instance 322 at the data center 400B is being updated in near real time. Other configurations may also be supported, such as when both data centers are active.

If data center 400A fails in any way or is otherwise unavailable to the user, data center 400B can take over as the active data center. For example, a domain name system (DNS) server that associates a domain name that associates a domain name of a computer instance 322 with one or more Internet Protocol (IP) addresses of the data center 400A may associate the domain name with one or more of the data centers 400B. Can be re-associated with the IP address of After this reassociation is complete (which can take a second or less than a few seconds), the user can access the computer instance 322 via the data center 400B.

FIG. 4 shows a possible configuration of the managed network 300. As described above, proxy server 312 and user 414 can access computer instance 322 through firewall 310. The proxy server 312 can also access the configuration item 410. In FIG. 4, the configuration item 410 includes any or all of the client device 302, the server device 304, the router 306, and the virtual machine 308, and any applications or services running thereon, as well as devices, applications, and You can refer to the relationship between services. Accordingly, the term "configuration item" refers to any physical or virtual device, or any application or service that is discovered or managed remotely by an instance 322 of a computer, or the relationship between a discovered device, application, and service. , Can be a simple phrase. The configuration item may be represented in the configuration management database (CMDB) of the instance 322 of the computer.

As mentioned above, the VPN gateway 412 may provide a dedicated VPN to the VPN gateway 402A. Such VPNs suggest or require the use of VPNs between these sites if there is a significant amount of traffic between the managed network 300 and the computer instance 322, or otherwise security policy. Sometimes it can be useful. In some embodiments, any device and/or computer instance 322 in the managed network 300 that communicates directly via a VPN is assigned a public IP address. Instances 322 of other devices and/or computers within managed network 300 may have private IP addresses (eg, 10.0.0.0 to 10.255.255.255 or 192.168.0.0 to 192). IP addresses selected from the range of .168.255.255, abbreviated to subnets 10.0.0.0/8 and 192.168.0.0/16, respectively) are assigned.

<IV. Examples of detecting devices, applications, and services>
In order for the remote network management platform 320 to manage the devices, applications, and services of the managed network 300, the remote network management platform 320 first determines which devices are present in the managed network 300, the configurations of these devices, and Determine the operating state and the applications and services by the device and the relationships between the discovered devices, applications and services. As mentioned above, each device, application, service, and relationship can be referred to as a configuration item. The process of defining configuration items within managed network 300 is called discovery and can be facilitated by at least some proxy servers 312.

For the purposes of the embodiments herein, an "application" refers to one or more processes, threads, programs, client modules, server modules, or any other software running on a device or group of devices. You can A “service” can refer to a high level function in which multiple applications running on one or more devices work in concert with each other. For example, a high level web service may execute multiple web application server threads on one device and access information from a database application running on another device.

FIG. 5A is a logical view of how a configuration item can be discovered and how information related to the discovered configuration item can be stored. Provide a depiction. For simplicity, remote network management platform 320, third party network 340, and Internet 350 are not shown.

In FIG. 5A, CMDB 500 and task list 502 are stored within computer instance 322. The computer instance 322 can send the discovery command to the proxy server 312. In response, proxy server 312 can send probes to various devices, applications, and services of managed network 300. These devices, applications, and services can send the response to the proxy server 312, which can provide the information about the detected configuration item to the CMDB 500 for storage therein. The configuration items stored in the CMDB 500 represent the environment of the managed network 300.

The task list 502 represents a list of activities that the proxy server 312 executes on behalf of the computer instance 322. When the discovery is made, the task list 502 is set. The proxy server 312 repeatedly queries the task list 502 to get the next task there, and executes this task until the task list 502 is empty or another stop condition is reached.

To facilitate discovery, proxy server 312 may be configured with information about one or more subnets in managed network 300 that are reachable via proxy server 312. For example, the proxy server 312 may allow the IP address range 192.168.8.0/24 to be provided as a subnet. The computer instance 322 can then store this information in the CMDB 500 and place a task in the task list 502 to discover the device at each of these addresses.

FIG. 5A also depicts devices, applications, and services within managed network 300 as configuration items 504, 506, 508, 510, and 512. As mentioned above, these configuration items execute on, and/or on, physical and/or virtual devices (eg, client devices, server devices, routers, or virtual machines) that each include a plurality of individual configuration items. It represents applications (eg, web servers, email servers, databases, storage arrays), relationships between them, as well as a set of services.

Placing a task in the task list 502 allows the proxy server 312 to be invoked or otherwise acted upon to initiate discovery. Alternatively or additionally, the discovery can be triggered manually or automatically based on a trigger event (eg, the discovery can be automatically triggered once a day at a particular time). Can be started).

In general, discovery can proceed in four logical phases: scanning, classification, identification, and exploration. Each phase of discovery includes various types of probe messages sent by proxy server 312 to one or more devices in managed network 300. Responses to these probes may be received and processed by proxy server 312, and their indications may be sent to CMDB 500. Thus, each phase can result in more configuration items being detected and stored in CMDB 500.

In the scan phase, the proxy server 312 probes each IP address within a specified range of IP addresses for opening a Transmission Control Protocol (TCP) and/or User Datagram Protocol (UDP) port to determine the device. The general type of can be determined. The presence of such an open port at an IP address may indicate that a particular application is running on the device to which the IP address is assigned and is in turn used by that device. Operating system. For example, if TCP port 135 is open, then the device may be running the WINDOWS operating system. Similarly, if TCP port 22 is open, then the device may be running a UNIX operating system such as LINUX. If the UDP port 161 is open, then the device can be enabled to be further identified through Simple Network Management Protocol (SNMP). There are other possibilities. If it is discovered that a device is present at a particular IP address and its open port, these configuration items are stored in CMDB 500.

In the classification phase, the proxy server 312 further probes each discovered device to determine the operating system version. The probe used for a particular device is based on the information collected about that device during the scan phase. For example, if a device with an open TCP port 22 is found, a series of UNIX specific probes may be used. Similarly, if a device is found with TCP port 135 open, a WINDOWS-specific probe set may be used. In either case, the appropriate set of tasks may be placed in task list 502 for execution by proxy server 312. These tasks can result in proxy server 312 logging on or otherwise accessing information from a particular device. For example, if TCP port 22 is open, proxy server 312 initiates a Secure Shell (SSH) connection to a particular device and retrieves information about the operating system on that device from a particular location within that file system. You can ask them to get it. Based on this information, the operating system can be determined. By way of example, a UNIX device with TCP port 22 open should be classified as AIX®, HPUX, LINUX®, MACOS®, or SOLARIS®. be able to. This classification information can be stored in the CMDB 500 as one or more configuration items.

In the identification phase, the proxy server 312 may be adapted to determine certain details about the classified device. The probes used in this phase can be based on the information collected for a particular device in the classification phase. For example, if the device is classified as LINUX®, a set of LINUX®-specific probes may be used. Similarly, if the device is classified as WINDOWS® 2012, a WINDOWS® 2012 specific set of probes may be used. As with the classification phase, the appropriate set of tasks may be placed in the task list 502 for execution by the proxy server 312. These tasks include proxy input/output system (BIOS) information, serial numbers, network interface information, and media access control addresses (es) assigned to these networks by the proxy server 312 being used by that particular device. ), IP address, etc., resulting in the reading of information from that particular device. This identification information may be stored in the CMDB 500 as one or more configuration items.

In the probe phase, the proxy server 312 may be adapted to determine details about the operational status of the classified device. The probes used in this phase can be based on information gathered about a particular device in the classification phase and/or the identification phase. Once again, the appropriate set of tasks can be placed in the task list 502 for execution by the proxy server 312. These tasks can cause the proxy server 312 to result in reading additional information from that particular device, such as processor information, memory information, a list of running processes (applications), and so on. Further, the discovered information may be stored in CMDB 500 as one or more configuration items.

Operations that perform discovery on network devices such as routers can use SNMP. Rather than or in addition to determining a list of running processes or other application-related information, the discovery also reveals additional subnets known to the router and the operational state of the router's network interface (eg, active). , Inactivity, queue length, number of dropped packets, etc.). The IP addresses of the additional subnets can be candidates for further discovery procedures. Therefore, discovery may proceed iteratively or recursively.

Once discovery is complete, a snapshot representation of each discovered device, application, and service is available in CMDB 500. For example, after discovery, the version of the operating system, the hardware configuration, and the network configuration details for the client devices, server devices, and routers in the managed network 300, as well as the applications running thereon, may be stored. Can be This collected information may be presented to the user in a variety of ways to enable the user to view the hardware configuration and operational status of the device, as well as the characteristics of services across multiple devices and applications. You can

Further, the CMDB 500 can include entries regarding dependencies and relationships between configuration items. Specifically, an application running on a particular server device, as well as services dependent on this application, may be represented as such in the CMDB 500. For example, assume that a database application is running on a server machine and that this database application is being used by a new employee onboard service and a payroll service. Therefore, it is clear that the employee onboard service and payroll service will be affected if the server device is not operated for maintenance. Similarly, dependencies and relationships between configuration items can represent services that are affected when a particular router fails.

In general, dependencies and relationships between configuration items are displayed in a web-based interface and presented in a hierarchical format. Thus, adding, modifying, or deleting such dependencies and relationships can be done via this interface.

In addition, users of managed network 300 can develop workflows that allow specific collaborative activities to occur between multiple discovered devices. For example, an IT workflow may allow a user to change a common administrator password for all discovered LINUX® devices in a single action.

In order for discovery to occur in the manner described above, proxy server 312, CMDB 500, and/or one or more credential storage devices may have credentials for one or more discovered devices. May be configured. The credentials may include any type of information needed to access the device. These can include user ID/password pairs, certificates and the like. In some embodiments, these credentials are stored in encrypted fields in CMDB 500. The proxy server 312 includes a decryption key for the credentials to enable the proxy server 312 to log on or otherwise access the device to be discovered using these credentials. be able to.

The discovery process is depicted as the flow chart in Figure 5B. In block 520, the task list in the instance of the computer is set, for example as a range of IP addresses. At block 522, the scan phase is performed. Therefore, the proxy server uses these IP addresses to probe the IP addresses of the devices and try to determine the operating system running on those devices. At block 524, the classification phase occurs. The proxy server attempts to verify the operating system version of the discovered device. At block 526, an identification phase is performed. The proxy server attempts to determine the hardware or software configuration of the discovered device. At block 528, the exploration phase occurs. The proxy server attempts to determine the operating state and applications running on the discovered device. At block 530, a further edit may be made to the configuration item representing the detected device and application. This editing is in fact automated and/or manual.

The blocks represented in Figure 5B are for illustrative purposes. Discovery is a highly configurable procedure that can have more or fewer phases, and the behavior of each phase can be different. In some cases, one or more phases may be customized or otherwise deviate from the example descriptions above.

<V. Example of email message format and phishing attack indicators>
As explained above, a managed network can host tens, hundreds, or thousands of computing devices serving the same number of users. One of the most popular network services for managed networks is email. A user on the managed network may receive many email messages per day from other users of the managed network, as well as sources external to the managed network.

In recent years, phishing has become a fashionable and effective method of cybercrime. Phishing attacks are the sending of email messages that appear to be legitimate alerts or requests for information to a large number of users, usually some of which some may be particularly targeted by "spear-phishing" attacks. including. In some cases, phishing emails may contain hyperlinks to fake websites that mimic the look and functionality of actual websites. Users are encouraged to enter sensitive personal information such as user IDs, passwords, credit card numbers, social security numbers, etc. on fake websites. Some phishing attacks include attachments in phishing emails that, when downloaded and executed on a computer device, deploy the malware to that computer device. The malware may search computing devices to send sensitive personal information to attackers, attempting to scan a managed network and attempting to reach out to other devices. There is a case.

Clearly, it is important to quickly mitigate the threat of phishing attacks, especially in managed networks that can affect large numbers of users and devices. However, to that end, understanding the format and content of the email message can help. With this understanding, attention can be focused on those parts of the email message that are likely to indicate whether the email message is a phishing attack.

For purposes of illustration, many of the embodiments described herein focus on phishing attacks that use email messages to reach users. However, it is possible to use other mechanisms in phishing attacks. Short message service (SMS) messages, as well as instant messaging (IM) and group chat messages can be used as well. Thus, the embodiments herein are not limited to email messages.

FIG. 6A shows a display 600 of an example email message. Display 600 shows how a typical email client application presents an email message to a user. The top four lines of the email message include "From", "To", "Subject", and "Date" headers, respectively. These headers are the estimated sender (Bob Smith with email address bsmith@example.com), the estimated recipient (Alice Jones with email address alice@company.com), the estimated The subject of the email ("Lunch today?") and the estimated time and date the email message was sent (Thursday, August 31, 2017 at 10:44:17 AM) are shown. The rest of this particular email message is from Bob Smith to Alice Jones, who allegedly asks them if they can meet at 12:15 for lunch. It is the body of the email that is the message. There is no attached file.

Consistent with how the email client application presents the email message, information that is not all of the actual email message is displayed on display 600. In particular, as shown in display 602, email messages often include multiple headers containing additional information. The first four rows of display 602 include the four headers displayed on display 600. However, the display 602 also includes an additional header that provides valuable information that can be used to infer whether the email message is a phishing attack.

For example, the "Delivered-To" header indicates the email address to which the email message was delivered. This header is followed by two "Received" headers. Each "Received" header is added by an email server, a gateway or a relay that forwards the email message to its destination, or the ultimate destination of the email message.

For example, the first "Received" header of display 602 shows that the device with IP address 10.103.136.1 received its email message on Thursday, August 31, 2017, 10:44:40. It is shown that. This device may be the ultimate destination email server that provides the email message to the client device.

The second "Received" header is the domain name mx. company. device having the domain name mail.com. example. com and the device with IP address 192.168.174.248 indicates that the email message was received on Thursday, August 31, 2017, 10:44:40. This header also indicates that the recipient of the message is alice@company.com. It has also been designated as com.

The information in both "Received" headers indicates that the email message is alice@company. to be delivered to mail.com. example. com by mx. company. suggesting that it was sent to com. Then, for actual delivery to Alice Jones' inbox, mx. company. com has forwarded the email message to the device with the IP address 10.103.136.1. Email messages may have several "Received" headers, which may appear in any order.

The "Received-SPF" header provides the result of a Sender Policy Framework (SPF) lookup of the estimated source host. SPF is a verification technique for detecting whether an email message was sent from a domain by an authorized host to do so. Each domain can store a list of authorized source hosts in the DNS record for that domain. Since phishing attacks often use forged "From" addresses, checking SPF records can be used to detect these attempts. Therefore, the “Received-SPF” header of the display 602 indicates that the SPF check has passed because “example.com” specifies 192.168.174.248 as the permitted sender. ..

The "Return-Path" header includes Bob Smith's email address bsmith@example. com. Generally, this header is set to the value provided by the sending system as the email bounce address-the email address to which undeliverable mail should be forwarded.

The last two headers, "Accept-Language" and "Message-I"
"D" specifies the language used in the response and the unique identifier of the email message. Both are typically set by the sender of the email message.

An email message may contain multiple headers, only an example of which is shown in Figure 6A. Some of these headers may be placed in the email message by the email server associated with the sender. Others may be placed in the email message by an intermediate email server or an email server associated with the recipient. In general, email servers can insert or overwrite almost any header when creating, sending, or receiving email messages. Therefore, email messages are particularly vulnerable to fraud and/or spoofing attacks that include forged header information.

From the information in these headers as well as the information in the body, it can be deduced whether the email message is a phishing attack. However, in order to evaluate the procedure for doing so, it is helpful to consider an example email containing such an attack.

FIG. 6B shows another example display 610 of an email message. Display 610 also shows how a typical email client application displays an email message to a user. The headers shown in display 610 include the probable sender (Felix with email address bsmith@example.com) and the probable recipient (Alice Jones with email address alice@company.com). , The estimated subject line of the email ("September payment"), and the estimated time and date the email message was sent (Friday, Septmber 8, 2017 at 1:38:08 PM). The rest of this particular email message is the body of that email, which is probably a message requesting payment of GBP 9.91. The email message also contains an attachment. This attached file has a file name extension indicating that it is a zip file including one or more compressed files.

Display 612 shows additional headers for the email message. In particular, the second "Received" header is mx. company. com has the IP address 172.20.17.194, and the domain static.com. sprof. It indicates that the email message has been received from zvnx. However, the "Received-SPF" header has the domain bankofequity. It indicates that the SPF lookup failed because co is not authorized to use the email server in 172.20.17.194 to send the email message. In addition, some of the headers contain suspicious domains. For example, the domain static. sprof. zvnx does not appear to have a legitimate top-level domain ("zvnx"), and the "Return-Path" header contains an email address that appears to be the result of random typing. The fact that the email address in the "Return-Path" header is not the same as the email address in the "From" header is not uncommon and may not be suspicious in its own right. This convention is common when sending email to mailing lists. Also, the e-mail address of the "From" header is user@bankofequity.com. Although it is co, the sender's name is also given as "Felix".

In addition, the body of the email itself is suspicious because it contains misspellings, grammatical deficiencies, improper punctuation, and unusual use of whitespace. The URL embedded in the email (http://www.bankofequity.co/wenf&23) leads to a fake website that emulates a real website and invites the visitor to his or her for the real website. You may be trying to get your credentials entered. Attachments can also be problematic as they are called zip files as well. Zip files, executable files, and other types of files are commonly used to distribute malware to recipients' computing devices. The user may download and execute the file, which will cause the malware to be installed on the computer device.

Also, each of these elements may or may not mean that the email message on displays 610 and 612 is a phishing attack. However, their combination strongly suggests that this is the case. Perhaps the strongest indicator that the email message is a phishing attack is a failed SPF lookup shown in the "Received-SPF" header.

Nevertheless, phishing attacks can be difficult to distinguish from spam emails (eg, spam). Unlike phishing attacks, spam email is generally a harmless attempt to sell a product or service and does not seek to obtain sensitive personal information about the recipient. However, determining whether a particular email message is legitimate, spam, or phishing can be challenging even for today's sophisticated machine learning techniques. Email filtering software operated by businesses or Internet Service Providers (ISPs) can detect some, but not all, phishing attacks accurately. Therefore, at least some phishing attacks will reach the user's email inbox.

To mitigate the potential damage of phishing attacks delivered to users, companies can educate employees on how to visually inspect email messages for phishing characteristics. Employees may be encouraged to forward email messages containing suspicious phishing attacks to a separate email address for further analysis by security experts.

As a result, companies may be able to get an improved assessment of the prevalence and types of phishing attacks involving their employees. By doing so, companies can detect common phishing attacks, the impact of successful phishing attacks, and mitigate this impact. For example, if a particular type of phishing attack has a definite signature (eg, a particular URL or a particular attachment that leads to a fake website), the business may want these email messages containing these attacks to be targeted. Rules can be added to the company's email filtering software to prevent it from being delivered to recipients. Alternatively or in addition, if a particular type of phishing attack succeeds and the particular malware is installed on the computer device, the company may identify which computer device is infected and take steps to eradicate the malware. Can be taken. This may include updating anti-malware software on the computing device, manually deleting files on the computing device, editing the configuration of the computing device, and/or reformatting a disk drive on the computing device and reformatting the operating system. Can include installation.

Thus, the detection, containment, and eradication of problems caused by phishing attacks can take hours or days when performed by security experts. However, time is essential when dealing with these attacks. The longer a security officer takes to mitigate the effects of a phishing attack, the more targeted this attack can be to more users and spread from infected computing devices. Due to the existence and scope of phishing attacks, and the complexity of determining the time required to address them, it is very important that the security problems caused by the attacks can continue to spread despite mitigation efforts. It is not uncommon to become.

Accordingly, the embodiments herein are technical solutions to the technical problem of addressing phishing attacks in at least a rapid manner. Furthermore, these solutions are essentially tied to computers and networking, as phishing attacks exist only in computer networking environments.

<VI. Network architecture to combat phishing attacks on managed networks>
FIG. 7A depicts a network architecture that can provide automatic security threat detection and mitigation, including threats associated with phishing attacks. The architecture includes a managed network 300 and a computer instance 322, which can communicate with each other across the Internet 714, which can be a public Internet, a private network, or a wide area network. The third party threat database 716 may also be communicatively coupled to the Internet 714.

Managed network 300 may include many devices, systems, and/or software applications, including those shown as security enforcement points in FIG. 7A. These devices are a firewall 700, an intrusion detection system (IDS)/intrusion prevention system (IPS) 702, an email server 704, an email client 706, and a client device 708.

As mentioned above, a firewall, such as firewall 700, protects the managed network 300 from unauthorized access to devices, applications, and services therein while permitting authorized communication. Can be a dedicated router or server device of

The IDS/IPS 702 can be a device or application that monitors the network for malicious activity (typically passive) or policy violations. The IPS may include at least functionality for responding to detected threats. For example, IPS may allow firewalls to be dynamically configured to block attacks or dynamically change the content of network traffic involved in the attack.

The email server 704 may be a device or software application that receives incoming mail, forwards it to the recipient's computing device, or stores it in the inbox for the recipient to review or otherwise process. can do. The email client 706 can be a device or software application that communicates with the email server 704 to receive email for one or more specific recipients. Email client 706 may also include user interface functionality that may display received email messages in a manner similar to display 600 and display 610 or in another format. The email server 704 and email client 706 can communicate according to standardized or proprietary protocols.

Client device 708 may include one or more computing devices intended for user operation. For example, these devices may be personal computers, laptops, tablets, smartphones and the like. The client device 708 can execute various types of antimalware software, such as antivirus applications that attempt to detect, quarantine, and delete malware that infects the client device 708. To do so, anti-malware software may need to be updated regularly with signatures or other indications of new types of malware.

Although not explicitly shown in FIG. 7A, any of firewall 700, IDS/IPS 702, email server 704, email client 706, and client device 708 may include a spam filter software application. Such an application may detect junk and/or unwanted email messages and attempt to prevent them from reaching the intended recipient's inbox. Email messages marked as spam can be delivered to a spam folder instead of the Inbox or can be quarantined remotely. In some cases, spam filters can also detect certain types of phishing attacks, but due to the growing sophistication of these attacks, at least some phishing attacks pass through spam filters unintentionally and can The result will be delivered to the inbox.

Some spam filters use machine learning techniques to calculate scores for email messages and use this score to determine whether to classify these email messages as spam. For example, email messages that include suspicious headers such as failed SPF lookups are scored as future email messages that also have suspicious headers are likely to be classified as spam. Similarly, email messages that have particular keywords, phrases, or URLs in the body can also be scored as being likely to be classified as spam. Such spam filters can be provided with live and non-spam examples from time to time to improve their classification capabilities.

The computer instance 322 can include a security decision point 710 and a security incident database 712. The security decision point 710 should be a device or software application that, with support from itself or other entities, analyzes reports of suspicious or actual phishing attacks to determine their characteristics and scope. You can The security incident database 712 may include a record of such phishing attacks and serves as a repository for tracking these characteristics over time and determining the range of affected devices and/or users. You can

The third-party threat database 716 may be a device and/or software application that stores feature vectors associated with security threats that include a particular observed phishing attack, including phishing attacks. The third party threat database 716 may receive a request specifying one or more features of the feature vector and immediately provide a list of one or more security threats associated with the one or more features. An API can be included. In some cases, as shown in FIG. 7A, a third party threat database 716 may be accessible via internet 714. Alternatively, the third party threat database 716 may generally be located within the instance 322 of the computer or remote network management platform 320.

The operation of these components is further illustrated in the example of Figure 7B. In particular, FIG. 7B is a message flow diagram depicting detection and mitigation of phishing attacks.

At step 720, email server 704 receives the email message. For purposes of illustration, it is assumed that the email message contains a phishing attack. For example, an email message may include the same or similar header and body content as shown in FIG. 6B.

At step 722, email server 704 applies the security policy to the email message. The policy may be predefined, for example a spam filter policy. As such, email server 704 can scan the header and/or body of the email message. For example, email server 704 can apply spam filtering techniques to classify the email message as either spam or non-spam. A phishing attack may be considered spam by its spam filter policy.

For purposes of illustration, it is assumed that the email message is not classified as spam despite the phishing attacks contained therein. As mentioned above, this is not uncommon because a successful phishing attack mimics a legitimate email message.

In either case, in step 724, email server 704 sends the email message to email client 706. There it may be viewed by a human recipient. A human recipient, if familiar, may suspect that the email message is a phishing attack. Accordingly, a human recipient may forward the email message to a designated email address and/or an inbox associated with the security decision point 710. As such, step 726 may include the email message being sent to email server 704.

In another embodiment, email server 704 or email client 706 may be able to automatically determine that the email message contains a phishing attack. In this way, any of these components can forward the email message to the security decision point 710.

Nevertheless, in step 728, the forwarded email may arrive at security decision point 710. At step 730, security decision point 710 can parse the message for observable indicators of phishing attacks. Examples of observable indicators are the estimated sender and recipient of an email message, the domain name and/or IP address of any email server involved in sending the email message, its electronic It can include the URL contained in the body of the mail message, the filename of any attachments, and/or the output of applying one-way hash function to each of these attachments.

In particular, the use of hash functions allows the file to be represented in a short fixed length format (several bytes) so that the file itself need not be stored. Examples of hash functions can include MD6 and SHA-3.

At step 732, the security decision point 710 may send at least some of these observable indicators to the third party threat database 716. Observable indicators can be represented using a feature vector format.

In response, the third party threat database 716 can perform a lookup of its observable index on the stored feature vector. If there is a match between the observable index and the one or more stored feature vectors, the third party threat database 716 can be identified as indicating the observable index threat. Accordingly, in step 734, an indication of the characterized threat may be sent to security decision point 710. This indication may be a numerical code, text string, binary identifier, or other method of representing the threat.

Examples of feature vectors are [<sender's email address>, <receiver's email address>, <mail server domain name>, <email server IP address>, <URL in email message> >, <attached file name>, <attached hash output>]. This is just one potential arrangement and other possibilities exist. In the case of the email message of FIG. 6B, the feature vector is: [“user@bankofequity.co”, “alice@company.com”, “static.sprof.zvnx”, “172.20.17.194”, “ http://www.bankofequity.co/wenf&23”, “P — 187570 — 201708”, “A7FE71AED88F”].

In some cases, the feature vector may not include element entries. For example, if a suspicious mail phishing attack without a URL or attachment was handled, the last three elements of the feature vector may contain null, an empty string, or a zero-filled value. Therefore, these factors may not be considered when matching observable indices to stored feature vectors. Moreover, not all of a given observable index needs to match every feature in the feature vector for security decision point 710 to find a match. Security decision point 710 can classify threats based on partial matches. For example, consider the example feature vector above for the email message of FIG. 6B: http://www. bankofequity. co/wenf&23 URL and P_187570_201108. Any set of observable indicators, including the name of the zip attachment, can be considered to be associated with a phishing attack.

If the security decision point 710 receives an indication from the third party threat database 716 that the provided observable indicator is associated with the threat (eg, step 734 ), then the security decision point determines that the security incident database 712. And both one or more devices on the managed network 300 can be updated.

For example, at step 736, the security decision point 710 can send a copy of the email message and/or its observable indicators to the security incident database 712. In response, at step 738, the security incident database 712 can store this information. Maintaining the security incident database 712 allows security personnel to quickly determine which users and/or devices are affected by a newly detected phishing attack. For example, the security incident database 712 can provide a graphical user interface that allows security personnel to search for previously reported observable indicators. As an example, security professionals may find that an email message has the URL http://www. bankofequity. May search for previous incidents including co/wenf&23. If more than one is found, the security officer checks the user or device associated with these previous incidents, and the user accesses the URL and/or attaches any associated file to the device. You can determine whether you downloaded.

At step 740, security decision point 710 may send the security policy update to email server 704. This security policy update is such that any future incoming email message to the email server 704 will have one or more observable indicators (eg email address, IP address, domain name, URL, attachment name). , Or the attached hash value) matches that of the circulating email message, it can be instructed to block the email message. For example, the e-mail server 704 may be URL http://www. bankofequity. co/wenf&23 or user@bankofequity.com. Delivery of any email message with a putative sender of co can be suspended. These messages can be archived for future reference or deletion.

In alternative or additional embodiments not explicitly shown in FIG. 7B, security policy updates may be sent to firewall 700. Similar to the security policy update in step 740, this security policy update causes firewall 700 to view one or more observable indicators (eg, email address, IP Incoming email messages can be instructed to be blocked that include an address, domain name, URL, attachment filename, or hash value of the attachment).

In another alternative or additional embodiment, not explicitly shown in FIG. 7B, security policy updates may be sent to email client 706. This security policy update tells the email client 706 one or more observable indicators (eg, email address, IP address, domain name, URL, attachments) that match those of the current email message. It can be instructed to block incoming email messages that contain a name, or an attached hash value).

In another alternative or additional embodiment not explicitly shown in FIG. 7B, security policy updates may be sent to one or more devices 708. This security policy update may cause anti-malware applications running on these devices to scan the file P_187570_201708 or provide evidence that such files have been downloaded or installed on that device. Can be instructed. If these devices are running endpoint firewall software, updates to their security policies will cause the firewall software to update one or more observable indicators (eg, those that match those of the current email message). , Email addresses, IP addresses, domain names, URLs, attachment file names, or hash values of attachments) can be instructed to be blocked.

In another alternative or additional embodiment not explicitly shown in FIG. 7B, security policy updates may be sent to the IDS/IPS 702 device. This security policy update tells the IDS/IPS 702 one or more observable indicators (eg, email address, IP address, domain name, URL, attachment name) that match those of the current email message. , Or an attached hash value) can be instructed to flag incoming email messages as security threats.

In some embodiments, the third party threat database may specify that the observable indicators it received in step 732 are not indicative of phishing attacks. In this case, the email message is likely to be spam. Accordingly, security decision point 710 can send the update to a spam filter that is part of either email server 704, email client 706, or another entity not shown in FIG. 7B. This update may increase the likelihood of blocking the successful delivery of future email messages that have these observable indicators (eg, such email messages may be sent to the recipient's spam folder). Sent to or quarantined somewhere). In this way, the recipient is less likely to forward the email message to security decision point 710 as a potential phishing attack if the email message is merely spam. Therefore, the conclusions drawn by security decision point 710 will be based on less "false positives" from the user, and therefore more likely to be accurate. In addition, the load on the security judgment point 710 is reduced.

<VII. Operation example>
FIG. 8 is a flow chart illustrating an exemplary embodiment. The process illustrated by FIG. 8 may be performed by a computing device, such as computing device 100, and/or a computing cluster device, such as server cluster 200 and the like. However, the process can also be performed on other types of devices or device subsystems. For example, the process can be performed by a portable computer such as a laptop or tablet device.

The embodiment of FIG. 8 can be simplified by the removal of any one or more of the features shown therein. Also, these embodiments can be combined with any of the features, aspects, and/or implementations described herein or otherwise described herein.

Block 800 may include receiving a message via a managed network at a security decision point device located within an instance of a remote network management platform computer. The message may be obtained by a particular computing device located within the managed network. An instance of the computer may be responsible for the managed network.

Block 802 may include parsing the message by the security decision point device to identify observable indicators of one or more security threats. The observable indicator can include at least one of a network address, a hyperlink, or an attachment display. The network address may be, for example, an email address, domain name, IP address, or some other form of address.

Block 804 may include remotely querying a security threat database for the observable indicator by the security decision point device.

Block 806 may include receiving, by the security decision point device, an indication from the security threat database that the observable indicator is associated with a particular security threat.

Block 808 updates the security policy of the security enforcement point device so that the security enforcement point device located in the managed network mitigates the particular security threat. It may include sending a command. The reception of the command may cause the security enforcement point device to change the operation according to the updated security policy.

In some embodiments, the message is an email message that includes the network address and the hyperlink. The network address may be stored in the header of the email message and may be the IP address to which the email message was sent. The hyperlink may be a URL contained within the body of the email message.

In some embodiments, the message is an email message that includes the network address and the hyperlink. The network address may be included in the header of the email message and may be the email address of the sender. The hyperlink may be a URL contained within the body of the email message.

In some embodiments, the representation of the attachment is a hash calculated by applying a one-way function to the attachment. In another embodiment, the indication of the attachment is the name of the attachment.

In some embodiments, the security enforcement point device is an email server device that receives email messages on behalf of the managed network. Delivery of the received email message to the email device including the network address, the hyperlink, or any file having characteristics matching the display of the attachment to the email device. Can be blocked.

In some embodiments, the security enforcement point device is an endpoint computing device on the managed network running anti-malware software. The updated security policy may cause the antimalware software to consider the attachment as malware when it appears in further email messages and quarantine the attachment. ..

In some embodiments, the security enforcement point device is a firewall device on the managed network. The updated security policy may cause the firewall to block incoming network traffic from the network address, including any file with characteristics that match the display of the hyperlink or attachment. it can.

In some embodiments, receiving the message via the managed network comprises receiving the message as an email forwarded from the particular computing device.

In some embodiments, the security decision point device is further configured to provide an alert indicating that the particular security threat has been observed. In some embodiments, the security decision point device comprises at least one of the display of the network address, the hyperlink, or the attachment in a security incident database located in an instance of the computer. And further configured to store a record of the particular security threat that has been deleted.

In some embodiments, the message is an email message including the attachment, the email message being received by an email server device associated with the managed network. The security determination point device queries the electronic mail server device to determine the number of attachment files received by the electronic mail server device, the number of email accounts to which the attached file has been delivered, and/or the attachment. It may be further configured to confirm the email account to which the file was delivered.

The security judgment point device receives a second message via the managed network, the second message is a second e-mail message, and the second message is analyzed to analyze one or more messages. The second observable index of the security threat of the above, and using the second observable index mentioned above, query the above security threat database remotely, and from the above security threat database, the above second observable index A second indication is received that the index is not associated with any of the security threats, and the email spam filter associated with the managed network receives the second message as not spam. Further configured to send the second message with a second indication to indicate that. Receiving the second message and the second indication may cause the email spam filter to update its filtering rules. The second observable indicator may include at least one of a second network address, a second hyperlink, or a second indication of a second attachment.

These embodiments facilitate understanding the scope of the threat within the organization receiving the message. In addition, they search endpoints for similar messages in email servers, for similar messages in stored logs, and through endpoint tools that retrieve the hash of any suspicious file attachments. And can be enhanced.

<Conclusion>
This disclosure is not intended to be limited in terms of the particular embodiments described herein, but is intended to be illustrative of various aspects. Many modifications and variations will be apparent to those of ordinary skill in the art and can be made without departing from the scope thereof and are functionally equivalent within the scope of the disclosure in addition to those described herein. The method and apparatus will be apparent to those skilled in the art from the foregoing description. Such modifications and variations are intended to fall within the scope of the appended claims.

The above detailed description describes various functions and operations of the systems, devices, and methods disclosed in connection with the accompanying drawings. The exemplary embodiments described herein and in the drawings are not intended to be limiting. Other embodiments may be utilized and other changes may be made without departing from the scope of the subject matter provided herein. It is readily apparent that aspects of the disclosure may be arranged, replaced, combined, separated, and designed in a wide variety of different configurations, as generally described herein and illustrated in the figures. To be understood.

Based on the exemplary embodiments, in connection with the message flow diagrams, scenarios, and flow charts described herein and herein, each step, block, and/or communication involves processing and/or communicating information. Can represent a transmission. Alternate embodiments are included within the scope of these exemplary embodiments. In these alternative embodiments, the acts described as steps, blocks, transmissions, communications, requests, responses, and/or messages, for example, may be performed out of order from what is shown or described. , Which may include substantially simultaneous or reverse order, and may be dependent on the function involved. Moreover, more or less blocks and/or acts may be used in any of the message flow diagrams, scenarios, and flowcharts described herein, and these message flow diagrams, scenarios, and flowcharts may only partially Or they can be combined with each other as a whole.

The steps or blocks representing the processing of information may correspond to circuits that may be configured to perform the specific logical functions of the methods or techniques described herein. Alternatively or additionally, steps or blocks representing the processing of information may correspond to modules, segments, or portions of program code (including associated data). The program code can include one or more instructions executable by a processor to implement a particular logical operation or action in any of the above methods or techniques. The program code and/or associated data can be stored on any type of computer readable media, such as storage devices including RAM, disk drives, solid state drives, or other storage media.

The computer readable medium may also include non-transitory computer readable media, such as register memory and processor caches, which store data for a short period of time. The computer readable medium can further include a non-transitory computer readable medium that stores program code or data for a longer period of time. Thus, the computer-readable medium may include secondary or permanent long-term storage such as, for example, ROM, optical or magnetic disks, solid state drives, compact disk read only memory (CD-ROM). The computer readable medium can also be any other volatile or non-volatile storage system. Computer-readable media are considered to be computer-readable storage media, which are, for example, tangible storage devices.

Moreover, one or more information-representing steps or blocks may correspond to communicating information between software and/or hardware modules within the same physical device. However, other communication can be between software and/or hardware modules of different physical devices.

The particular arrangements in the figures should not be seen as limiting. It is to be understood that other embodiments can include more or less of each element shown in a given drawing. Furthermore, some of the illustrated elements may be combined or omitted. Still further, the exemplary embodiments can include elements not illustrated in the figures.

Although various aspects and embodiments have been disclosed herein, other aspects and embodiments will be apparent to those skilled in the art. The various aspects and embodiments disclosed herein are for purposes of illustration and not limitation, the true scope of which is set forth by the following claims.

Claims (20)

A system configured to detect and mitigate phishing attacks on a network, the system comprising:
An email server having a spam filter configured to apply one or more filtering rules to messages sent to one or more client devices associated with the network;
Security judgment point application,
Equipped with
The security judgment point application is
Receiving the message from the email server, wherein the message is not classified as spam by the spam filter and is presumed to be a phishing attack;
Parsing the message for an observable indicator of the phishing attack;
Querying a security threat database for the observable indicator, the security threat database configured to determine whether the observable indicator is associated with a known phishing attack. ,
Receiving the result of the determination from the security threat database;
In response to the result indicating that the observable indicator is not associated with the known phishing attack, the update for classifying future messages having the observable indicator as spam is described above. Sending to a spam filter,
A system that is configured to run. The security decision point application blocks the future message having the observable indicator in response to the result indicating that the observable indicator is associated with the known phishing attack. The system of claim 1, configured to send additional updates to the email server to. The system of claim 1, wherein the observable indicators include network addresses, hyperlinks, attachment display, sender names, or recipient names. The system of claim 3, wherein the representation of the attachment is a hash calculated by applying a one-way function to the attachment. The security threat database comprises one or more feature vectors indicating an array of known observable indicators associated with the known phishing attack, and the security threat database includes the observable indicators in the 1 The system of claim 1, wherein the system is configured to determine whether the observable indicator is associated with the known phishing attack by comparing with one or more feature vectors. The security judgment point application is
Receive a query from the computing device for a particular observable indicator,
Determining whether the particular observable indicator is maintained in the security threat database,
Information indicating one or more configuration items that received at least one message having the particular observable indicator based on the determination that the particular observable indicator is maintained in the security threat database; Sending to the computing device for display,
The system of claim 1, wherein the system is configured to: The system of claim 1, wherein the message comprises an email message, a short message service (SMS) message, an instant messaging (IM) message, or a group chat message. The message includes an email message having an attachment, the security decision point application is configured to determine the number of times the attachment is received by the email server, the number of email accounts to which the attachment is delivered, the attachment. The system of claim 1, wherein the system is configured to query the email server to determine the email account to which a file was delivered, or any combination thereof. Receiving a message from an email server having a spam filter by a security decision point application, wherein the message is not classified as spam by the spam filter and is presumed to be a phishing attack;
Parsing the message for observable indicators of phishing attacks by the security decision point application;
Querying a security threat database for the observable indicator by the security decision point application, the security threat database determining whether the observable indicator is associated with a known phishing attack. Consists of
Receiving the result of the determination from the security threat database by the security determination point application;
In response to the result indicating that the observable indicator is not associated with the known phishing attack, the security decision point application causes future messages with the observable indicator as spam. Sending updates to the spam filter for classification,
Including the method. In response to the result indicating that the observable indicator is associated with the known phishing attack, the security decision point application blocks the future message having the observable indicator. 10. The method of claim 9, comprising sending additional updates to the email server to do so. 10. The method of claim 9, wherein the observable indicators include network addresses, hyperlinks, attachment display, sender names, or recipient names. The method of claim 11, wherein the representation of the attachment is a hash calculated by applying a one-way function to the attachment. The security threat database comprises one or more feature vectors indicating an array of known observable indicators associated with the known phishing attack, and the security threat database includes the observable indicators in the 1 10. The method of claim 9, configured to determine if the observable indicator is associated with the known phishing attack by comparing with one or more feature vectors. Receiving a query from the computing device for a particular observable indicator by the security decision point application;
Determining by the security decision point application whether the particular observable indicator is maintained in the security threat database;
One or more that have received at least one message with the particular observable indicator by the security decision point application based on the determination that the particular observable indicator is maintained in the security threat database. Sending information indicating a configuration item to the computing device for display;
The method of claim 9, further comprising: 10. The method of claim 9, wherein the message comprises an email message, a short message service (SMS) message, an instant messaging (IM) message, or a group chat message. The message comprises an email message with an attachment, the method comprising:
By the security judgment point application, the number of times the attachment file is received by the email server, the number of email accounts to which the attachment file is delivered, the email account to which the attachment file is delivered, or those Querying the email server to determine any combination,
10. The method of claim 9, comprising: A tangible, non-transitory computer-readable medium containing instructions, wherein the instructions, when executed by one or more processors, cause the one or more processors to:
Receiving a message from an email server having a spam filter, said message not being classified as spam by said spam filter and presumed to be a phishing attack.
Parsing the message for observable indicators of phishing attacks;
Querying a security threat database for the observable indicator, the security threat database configured to determine whether the observable indicator is associated with a known phishing attack. ,
Receiving the result of the determination from the security threat database;
In response to the result indicating that the observable indicator is not associated with the known phishing attack, the update for classifying future messages having the observable indicator as spam is described above. Sending to a spam filter,
And a tangible, non-transitory computer-readable medium that carries out Responsive to the one or more processors in response to the result indicating that the observable indicator is associated with the known phishing attack, the upcoming message having the observable indicator. 18. The tangible, non-transitory computer-readable medium of claim 17, including instructions that cause additional updates to block to be sent to the email server. 18. The tangible non-transitory computer readable medium of claim 17, wherein the observable indicators include network addresses, hyperlinks, attachment display, sender names, or recipient names. The security threat database comprises one or more feature vectors indicating an array of known observable indicators associated with the known phishing attack, and the security threat database includes the observable indicators in the 1 18. The tangible non-transitory computer of claim 17, configured to determine if the observable indicator is associated with the known phishing attack by comparing with one or more feature vectors. Readable medium.